Hi Pratik,
I am sorry I missed this message.
That text only refers to the case when the same message is being provided to multiple recipients. In this case, for each pairwise communication, the key will be ephemeral and so each pairwise communication will derive a unique agreed shared key and so there's no need for nonce. You're right in that if the ephemeral key had been re-used in a particular pairwise communication then it would not have been an ephemeral key any longer.
-- Magnus
> -----Original Message-----
> From: Pratik Datta [mailto:pratik.datta@oracle.com]
> Sent: Wednesday, September 28, 2011 11:33 AM
> To: Magnus Nystrom; XMLSec WG Public List (public-xmlsec@w3.org)
> Subject: RE: How does one specify the Salt/Nonce for ConcatKDF key derivation
> in XML encryption 1.1
>
> Magnus,
>
> In XML encryption 1.1 we are using ephemeral-static D-H, not static-static D-H.
> But the XML encryption spec is saying - "The same ephemeral key may be used
> when there are multiple recipients that use the same curve parameters"
>
> If the same ephemeral key is used, does that mean we are actually using static-
> static?
>
> In the NIST 800-56A documentation, I don't see the NonceU mentioned in case
> of ephemeral-static.
> Pratik
>
> -----Original Message-----
> From: Magnus Nystrom [mailto:mnystrom@microsoft.com]
> Sent: Tuesday, September 27, 2011 8:44 PM
> To: XMLSec WG Public List (public-xmlsec@w3.org)
> Subject: RE: How does one specify the Salt/Nonce for ConcatKDF key derivation
> in XML encryption 1.1
>
> Hi Pratik,
> In the case of static-static D-H, the nonce shall be part of the PartyUInfo
> element (see NIST 800-56A: "NonceU shall be in the PartyUInfo subfield of
> OtherInfo"). As we state in the document that these attributes are defined in
> 800-56A, I don't think there's a need to make an update here.
>
> Best,
> -- Magnus
>
> > > Resent-From: <public-xmlsec@w3.org>
> > > From: ext Pratik Datta <pratik.datta@oracle.com>
> > > Date: September 19, 2011 4:18:01 PM EDT
> > > To: <public-xmlsec@w3.org>
> > > Subject: How does one specify the Salt/Nonce for ConcatKDF key
> > > derivation in XML encryption 1.1
> > >
> > > I noticed that the Legacy key derivation function has a <KA-Nonce>
> > > element,
> > PBKDF2 has a <Salt> element, but there is nothing equivalent of this
> > for ConcatKDF.
> > > Is the salt supposed to be part of PartyUInfo , PartyVInfo ?
> > >
> > >
> > > The SP800-56A says this:
> > > ------
> > > 3.2 PartyUInfo: A bit string containing public information that is
> > > required by the application using this KDF to be contributed by
> > > party U to the key derivation process. At a minimum, PartyUInfo
> > > shall include IDU, the identifier of party U. See the notes below.
> > >
> > > 3.3 PartyVInfo: A bit string containing public information that is
> > > required by the application using this KDF to be contributed by
> > > party V to the key derivation process. At a minimum, PartyVInfo
> > > shall include IDV, the identifier of party V. See the notes below.
> > > -----
> > >
> > > I am not very clear from this text whether PartyUInfo is supposed
> > > include
> > some random value.
> > >
> > > Without the salt, the derived key will turn out to be same every time.
> > >
> > >
> > > Pratik
> > >
> >
>
>